Lessons we can learn from the ICO fines

Lessons we can learn from the ICO fines

Lessons we can learn from the ICO fines2019-01-022019-01-02https://tridentassuranceservices.co.uk/wp-content/uploads/2017/11/tas.pngTridenthttps://tridentassuranceservices.co.uk/wp-content/uploads/2019/01/fines-shutterstock_491945455.jpg200px200px

With the introduction of GDPR in May 2018, there was much talk of the fines that may be imposed for non-compliance. Some of this was scare-mongering. However, we are now beginning to see the Information Commissioners Office (ICO) start to use its powers and over recent weeks and months we have seen organisations fined for non-compliance.

So what are organisations being fined for?Firstly we are seeing the first organisations being fined for non-payment of the annual data protection fee. All organisations or sole traders who process personal information must pay the fee to the ICO, unless they are exempt. The fee varies depending on your organisation but can be as little as £35. Fines can be up to £4350.

Are your marketing calls and emails legal?We are all aware that marketing calls and emails are a key issue within data protection legislation and we are now seeing companies being fined for illegal practice:

Solartech North East was fined £90,000 for making nearly 75,00 calls to numbers registered with the TPS (telephone preference service) and DM Design Bedrooms was also fined £160,000 for making nuisance calls. Boost Finance (a London-based marketing company) was fined £90,000 for sending ‘nuisance emails’ promoting pre-paid funeral plans.

Are you keeping personal data secure?Another crackdown by the ICO is on the security of personal data. Uber was fined £385,000 for failing to protect customer personal information during a cyber attack. Heathrow Airport was fined £120,000 for failing to ensure personal data on their network was properly secured. And Bupa Insurance Services was fined £175,000 for failing to have effective measures in place to protect customers’ personal information.

What do you need to do?
You need to ensure you are processing personal data securely by means of ‘appropriate technical and organisation measures’. In order to comply you must consider risk analysis, an information security policy and whether you need to use measures such encryption or pseudonymisation. See the ICO’s advice on security. You should also consider whether to implement a framework such as Cyber Essentials or conform to standards such as ISO 27001 (we can help you with this).

And what about individuals?And it’s not just organisations who are being fined. The ICO is prosecuting individuals who have breached data protection laws:

A former nurse at Southport and Ormskirk Hospital NHS Trust, was prosecuted for accessing patient medical records without authority. And a former recruitment consultant, was prosecuted for illegally obtaining personal information (he took CVs from his former employer’s database).

What do you need to do?
Ensure your staff are fully trained and understand their responsibilities under GDPR and other data protection legislation.

Don’t be caught out – you need to ensure your organisation is compliant. You can keep abreast of the recent ICO enforcement actions by visiting the enforcement page of the ICO’s website. If you need help with your compliance, we offer a GDPR consultancy service offering information, advice and support. Get in touch.

We can offer a GDPR consultancy service. Our senior consultant, Brian Penfold, a qualified GDPR practitioner has 30 years of extensive experience in risk management, safety, compliance and assurance in highly-regulated environments. We can tailor our service to suit your requirements. Get in touch for a free no-obligation consultation.